History: Tiki Suite brainstorming

Security

Make sure we have a Security roadmap with all current chosen components, as we don't want to change later to improve security.

Desktop environments

See also: Tiki Suite Desktop

User have choice, but we should pick a suggested minimal Linux desktop. By default, no apps, and users install / activate what they need.

• Todo: try https://susestudio.com/
• Todo: document shared drives for data
• http://www.reddit.com/r/linux/comments/2c4ps0/if_linux_desktop_environments_were_knives/
• http://en.wikipedia.org/wiki/Comparison_of_X_Window_System_desktop_environments
• http://www.zdnet.com/six-clicks-2014s-top-linux-desktops-7000026367/
• http://www.engadget.com/2012/11/30/how-to-pick-a-desktop-environment-in-linux/
• http://www.techradar.com/news/software/operating-systems/best-linux-desktop-which-is-ideal-for-you--1194516
• http://www.clearcenter.com/support/documentation/clearos_guides/install_graphical_desktop_for_clearos
• https://www.openhub.net/orgs/xfce

Single Sign On (SSO)

ClearOS permits centralized user & group management. So a user has the same username & password for ClearOS (to update their password and user certificates for OpenVPN), Tiki, XMPP (Prosody & Jitsi), Email (Zarafa & Thunderbird) and Flexshares (Samba shared folders accessible locally or via VPN). The system can also permit / restrict usage of many of the ClearOS apps. BigBlueButton & Kaltura users authenticate through Tiki, but it would be better if they could also authenticate directly to ClearOS. OwnCloud has OpenLDAP integration with ClearOS (Not in Tiki Suite, but still very useful for any ClearOS instance)

However, users still need to login to each app. We should progress to a Single Sign On solution. ClearOS should be an IdP (Identity Provider) and also should be able to be a SP (Service Provider).

Related:
ClearOS: Investigate the addition of a Single Sign On (SSO) solution
http://tracker.clearfoundation.com/view.php?id=1873

ClearOS: Add two-factor authentication
http://tracker.clearfoundation.com/view.php?id=1412

Protocols:

• SAML
• OpenID Connect
• Central Authentication Service (CAS)
• etc.

User story:

1. Login to ClearOS (or perhaps to any of the apps)
2. Have links to all apps available in SSO. This should be made available to the apps so they can include in their GUI (ex.: nav bar)
3. User clicks on any link in the nav bar, which takes to that site, and logs them in transparently and securely

Target apps for Tiki Suite

• Zarafa webmail
• Tiki Wiki CMS Groupware
• Web interface to XMPP server as per http://tracker.clearfoundation.com/view.php?id=1714

Other target apps for ClearOS:

• Joomla!
• WordPress
• OwnCloud

Desktop & mobile apps should also be covered.

Since ideally, ClearOS can act as an IdP, it would be best to support the protocols used by a large enough number of apps

Related projects

Related links

• http://www.trishburgess.com/trishs-blog/intro-to-openid-oauth-and-saml
• https://packagist.org/search/?q=saml
• https://packagist.org/search/?q=openid
• https://packagist.org/search/?q=cas
• https://packagist.org/search/?q=oauth
• https://packagist.org/search/?tags=OpenID%20Connect
• http://www.softwaresecured.com/2013/07/16/federated-identities-openid-vs-saml-vs-oauth/
• http://www.onelogin.com/application-vendors/the-difference-between-openid-saml-and-oauth/
• http://www.onelogin.com/application-vendors/openid-or-saml-for-enterprise-sso/
• https://www.drupal.org/project/simplesamlphp_auth
• https://www.drupal.org/project/openid_connect
• https://www.drupal.org/project/saml_sp
• https://www.drupal.org/project/oauth2_server
• http://openid.net/developers/libraries/
• https://developers.google.com/google-apps/sso/saml_reference_implementation?csw=1
• https://developers.google.com/accounts/docs/OAuth2Login
• http://www.gluu.org/docs/#what-are-the-future-identity-protocols-and-is-the-gluu-server-future-proof
• https://blog.surfnet.nl/wp-content/uploads/2013/04/SURFnet-OpenID-Connect-1.1-.pdf